chroot question

Bill Larson wllarso at swcp.com
Thu Jul 5 20:20:19 UTC 2001


This issue is not about cost, but false economy.  It is very common to
think that there is a big Solaris or HP-UX system sitting around not
doing anything except acting as a DNS server, "why not also use this
system as a mail server or a web server at the same time?"  

DNS is a critical infrastructure service for network operations.  For
this reason it is much better to implement single purpose DNS servers
for an organization rather than piggy-back other services, such as mail
and web, onto the DNS server.  This is the same idea as presented in
RFC2010, "Operational Criteria for Root Name Servers".  Although your
server will not be a root server, it will be important enough to your
organization that it should meet similar requirements as a root server.  

Basically, you should not assist the compromise of your DNS services by
providing these services on the same host that is providing mail and web
services also.  To redirect management desires to use the DNS server
system to provide additional services, I provided an alternative of
using an alternative operating system on a small system to ensure that
the DNS services are provided on a dedicated system.

Whatever you do, ensure that the systems that are providing your DNS
services are secure.  This requires more than just running "named" in a
chroot environment.  The security of the whole system must be assured to
ensure that the DNS services are secure.

Bill Larson

lg042-5 wrote:
> 
> I agree with you about the cost, but my company (BIG European public
> company) doesn't want to use Linux.
> Maybe they can't trust people writing code for free.
> 
> Bill Larson <wllarso at swcp.com> wrote in message:
> 9i1s6s$kl8 at pub3.rc.vix.com...
(Comments about potential alternative operating systems for providing
DNS services are deleted)
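A small audit script for the "single-purpose DNS host" point made above, added here as an example and not part of the original post or of BIND. It assumes GNU/Linux `ss -lntuH` output for the socket listing and a `ps`-style command line for named; both inputs below are constructed samples.

```shell
#!/bin/sh
# Audit a host that is meant to serve only DNS: report any listening
# socket other than port 53 (mail on 25, web on 80, ...) and check that
# named was started with -t <dir>, i.e. inside a chroot.

# Constructed sample of `ss -lntuH` output (Netid State Recv-Q Send-Q
# Local:Port Peer:Port). This is what a host piggy-backing mail and web
# onto the DNS server would look like.
SAMPLE_SOCKETS='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 0 0.0.0.0:25 0.0.0.0:*
tcp LISTEN 0 0 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 0 127.0.0.1:953 0.0.0.0:*'

# Print "proto/port" for every listener that is not DNS. Port 953 is
# rndc's control channel and is tolerated only when bound to loopback.
non_dns_ports() {
    printf '%s\n' "$1" | awk '{
        n = split($5, a, ":"); port = a[n]; addr = a[1]
        if (port == 53) next
        if (port == 953 && addr == "127.0.0.1") next
        print $1 "/" port
    }' | sort -u
}

# Succeed if the given named command line carries -t <dir> (chroot).
# Example: "named -u named -t /var/named/chroot" -> chrooted.
named_is_chrooted() {
    printf '%s\n' "$1" | grep -E '(^|/)named( |$).*-t[ =]?/' >/dev/null
}

# Stand-alone usage on the constructed samples.
echo "Non-DNS listeners:"
non_dns_ports "$SAMPLE_SOCKETS"
if named_is_chrooted 'named -u named -t /var/named/chroot'; then
    echo "named runs in a chroot"
else
    echo "named is NOT chrooted"
fi
```

On a real host, replace the samples with `ss -lntuH` and `ps -o args= -C named`; an empty listener report plus a chrooted named is the baseline the post argues for, not the whole of host security.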
